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Abstract 

We study the problem of general entanglement pm'ification protocols. Suppose Alice and Bob 
share a bipartite state p which is "reasonably close" to perfect EPR pairs. The only information Alice 
and Bob possess is a lower bound on the fidelity of p and a maximally entangled state. They wish to 
"purify" p using local operations and classical communication and create a state that is arbitrarily 
close to EPR pairs. We prove that on average, Alice and Bob cannot increase the fidelity of the input 
state significantly. We also construct protocols that may fail with a small probability, and otherwise 
will output states arbitrarily close to EPR pairs with very high probability. Our constructions are 
efficient, i.e., they can be implemented by polynomial-size quantum circuits. 

1 Introduction 

Random bits are an important computational resource in the randomized computation. There has been 
a lot of work on extracting good random bits from imperfect sources of randomness. The beginning of 
this study goes back to at least von Neumann 



N51] who showed that a hnear number of perfect random 



bits can be extracted from independent tosses of a biased coin. More recent research has constructed 
extractors [|NT99| , [r99| which can extract almost perfect random bits from any source with a certain 
min-entropy without any other assumptions. The best constructions of extractors allow to extract a 
number of random bits close to the min-entropy of the random source with min-entropy if we can use 



a polylogarithmic number of perfect random bits | TUZOl | . 

Quantum entanglement is an important resource in quantum computation, similar to random bits 
in probabilistic computation. It comes in the form of Einstein-Podolsky-Rosen pairs. An EPR pair is 
the state of two quantum bits -^(| 00) + | 11)) shared by two parties, with one party (Alice) holding 

one quantum bit and the other party (Bob) holding the second bit. This is the quantum counterpart 
of a random bit shared by two parties. 



Einstein-Podolsky-Rosen I EPR35 1 (EPR) pairs are among the most interesting objects of study in 
quantum mechanics and quantum information theory. They behave very differently from classical 
random bits shared by two parties. The phenomenon of having entangled states separated by space is 
one of the quintessential features in quantum mechanics and it has no analogue in classical physics. 

Besides being conceptually interesting in quantum mechanics, EPR pairs are also very useful in 
quantum information theory. Using an EPR pair, Alice and Bob can perform quantum teleportation. 
Using only local operations and classical communication (LOCC), Alice can "transport" a qubit to Bob, 
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who could be miles away from Alice | BBC+93 [. So EPR pairs, along with a classical communication 
channel, effectively constitute a quantum channel. Conversely, "superdense coding" is possible with 
EPR pairs: if Alice and Bob share an EPR pair, then Alice can transport 2 classical bits to Bob by just 



sending one qubit |BW92] 



For the teleportation and dense coding to work perfectly, perfect EPR pairs are needed. Nevertheless, 
individual qubits are prone to errors, which may end up creating imperfect EPR pairs. These imperfect 
EPR pairs behave like a noisy channel — qubits teleported with these EPR pairs can become distorted. 

This creates the need for generating perfect (or almost perfect) EPR pairs from imperfect ones. This 
is known as "entanglement purification". Bennett et. al. [|BBP+96a| ] gave a protocol for the case that 
Alice and Bob share identical copies of the pure state | (p) = {cos6\ 01) + sm6\ 10)). This was extended 
to the case when Alice and Bob share identical copies of a m ixed stat e f|BBP+96b| , |BDS+9q , |HHH96|] . 



Vidal V99|], and subsequently, Jonathan and Plenio [ JP99 |, Hardy | H99 |, and Vidal, Jonathan, and 



Nielsen [ VJNO0(] considered extracting entanglement from a single copy of an arbitrary pure state 



assuming that we know a complete description of the state. 

All of this work uses relatively simple models for imperfect EPR pairs. The model where Alice 
and Bob share identical copies of the same state corresponds to generating perfect random bits from 
the sequence of i.i.d. biased coin flips. Extracting entanglement from a single copy of a known state 
corresponds to constructing uniform/almost uniform random bits from a biased distribution if we know 
a complete description of the distribution. Both of those are very easy tasks classically but dealing with 
quantum states makes them much harder. 

Can we extract entanglement if we do not have such a detailed knowledge of the quantum state 
(like extractors in the classical setting which work for any probability distribution satisfying certain 
constraints)? This is the question that we consider in this paper. 

1.1 Our error model 

We no longer assume that there is a single "distortion" operator that acts independently on each qubit 
pair, neither do we assume that Alice and Bob have complete information about the distortion. The 
only assumption that we have is that the distortion is not very large. More precisely, we assume that 
Alice and Bob share a state p with fidelity at least (1 — e)Q We call this model of imperfect EPR pairs 
the "General Error" model. We call the protocols for this model General Entanglement Purification 
Protocols (GEPPs) 

In the General Error model, the techniques used in previous literature don't appear to work. Some 
of the techniques rely on the Law of Large Number heavily. For example, both the "Schmidt projection" 
method [ BBP+96a ] and the "hashing" method | BDS+9^ ] try to reduce the state to a "typical sequence" 



and then do purification over the typical sequences. In the General Error model, it is not clear what a 
"typical sequence" would be. Some techniques, like the "Procrustean" method pBP+96a ], are designed 



to work with individual states that Alice and Bob have complete knowledge of. Apparently they don't 
work in the General Error model, where Alice and Bob only have very limited information about the 
state they share. In fact it is not obvious if Alice and Bob can do anything at all to extract EPR pairs 
in this model. 

1.2 Our Contribution 

Some features about GEPPs are: 

1. Arbitrary Maximally Entangled States 

Instead of working only with EPR pairs, a GEPP works with arbitrary maximally entangled states. 
In every symmetric bipartite system of dimension T x T, there exist a maximally entangled state 
= YlJ=o I ^"^1 III the case that T is a power of 2, is the state of log2 T EPR pairs. 



^Most of the time in this paper, we are interested in the fidehty of a state p and a (pre-defined) maximally entangled 
state (e.g., an EPR pair). In this case, we simply use the "fidelity of state p" to denote the fidelity of p and the pre-defined 
maximally entangled state of appropriate dimension. 



2 



Thus, extracting EPR pairs is a particular case of our setting. We note that, by a result of Nielsen 
| N99| ], Alice and Bob can transform ^'at into for any M < N. Therefore, if we want the final 



state to be a set of EPR pairs, we can just add a step at the end of protocol that maps ^'at to 
^'2Liog^vJ s-iicl obtain a state of [log2 -/VJ EPR pairs. 

2. Auxiliary Input 

Besides an input state p, a GEPP also has a maximally entangled state as auxiliary input. 
This assumption is similar to having extra perfect random bits in randomness extractors. 

3. Possibility to Fail 

We allow a GEPP to fail with a reasonably low probability. As we will prove later, a GEPP that 
never fails won't be able to increase the fidelity of the input state significantly, even if it has an 
extra input ^k- However, if we allow a GEPP to fail, then in the case that it doesn't fail, it will 
be able to output states of very high fidelity with very high probability. In general, a GEPP will 
either output a special symbol FAIL or output a state, which has (hopefully) very high fidelity. 

We consider 3 types of GEPPs. Roughly speaking, we say a GEPP is absolutely successful, if 
it never fails, and always outputs a state of very high fidelity. We say a GEPP is deterministically 
conditional successful, if the probability it fails is small, and when it doesn't fail, it will output a state 
of very high fidelity with certainty. We say a GEPP is probabilistically conditionally successful, if the 
probability it fails is small, and in the case it doesn't fail, it outputs a state of very high fidelity with 
high probability. Each definition is a generalization of the previous one: an absolutely successful GEPP 
is deterministically conditionally successful, and a deterministically successful GEPP is probabilistically 
conditionally successful. We prove the following results: 

1. There don't exist absolutely successful GEPPs with "interesting" parameters. To be more precise, 
we prove the following result: Suppose Alice and Bob share a state of fidelity 1 — e, and they have 
an auxiliary input ^k- They then perform LOCC to create a state a in a subspace of dimension 
M X M. Then the maximal fidelity Alice and Bob can guarantee about the state a is at most 
1 — — If K is significantly smaller than M improvement of fidelity is very small. In 
other words, Alice and Bob cannot arbitrarily increase the average fidelity of the input state. 

2. There exist deterministically conditionally successful GEPPs for states in the diagonal subspace. 
A diagonal subspace is spanned by states of the form X^jOjl i)^\ i)^ ■ As we will show later, a 
state in the diagonal subspace is "easy" to work with and there exists an efficient protocol that 
is deterministically conditionally successful. For an input state of fidelity 1 — e, the protocol will 
fail with probability at most e, and when it doesn't fail, it always outputs a state of fidelity 1 — j^, 
where L is a parameter that can be made very large. We call our protocol the "Simple Scrambling 
protocol" . The Simple Scrambling protocol is optimal in the sense that the average fidelity of its 
output matches the upper bound asymptotically. 

3. There exist probabilistically conditionally successful GEPPs for arbitrary states. We present a 
protocol, namely the "Hash and Compare protocol". The Hash and Compare protocol converts 
an arbitrary state | (/>) of fidelity 1 — e to another state oi fidelity at least 1 — e, such that | (j)') 
is "almost" in the diagonal subspace. Then the Simple Scrambling protocol can be used on state 
I (/)') to create a state with very high fidelity. 

Both the Simple Scrambling protocol and the Hash and Compare protocol are efficient, i.e., they 
can be implemented by polynomial-size quantum circuits. We present the precise definitions and results 
in the next section. 



2 Notations and Definitions 
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2.1 General Notations 



All logarithms are base-2. We use [N] to denote the set {0, 1, ...,N — 1}. We identify an integer with 
its binary representation, and view its binary representation as a bit vector. The XOR of two integers 
X and y, denoted hy x (By, is the XOR of the two bit vectors x and y represent. The inner product of x 
and y, denoted by x»y, is defined as the inner product in GF2 of the two bit vectors x and y represent. 

We study quantum systems of finite dimension. We identify a pure state (written in the "braket" 
notation as | ^)) with a (column) vector of unit length. We identify a mixed state with the density 
matrix of this state. For a quantum system whose states lie in the Hilbert space H of dimension N, we 
always assume that it has a canonical computational basis and we denote it by {| 0), 1 1), | N — 1)}. 
Furthermore, we often denote ] 0) G H by j Zn) to specify the dimension of this state. 

We are mostly interested in symmetric, bipartite quantum systems, namely, systems shared between 
Alice and Bob, whose states lie in a Hilbert space rL = H^® and n^ = n^. Alice can access H 
and Bob can access Ti^ . We always superscript subspaces and states to distinguish states accessible by 
Alice and Bob. For example, a general bipartite state | ip) can written in the following way: 

\^) = Y.^^^i)^\j)'' 

i,j 

where | i)^ denotes the state of Alice and | j)^ denotes the state of of Bob. We sometimes subscript a 
space by its dimension. For example, Hn nieans a space of dimension A^. 

A quantum state is unentangled if it is of the form ■ Any other pure state in H^i^H^ is 

entangled. For a pure state | ip) in a bipartite system, we define its entanglement to be the von Neumann 
entropy of the reduced sub-system of Bob when we trace out Alice: 

E{\^)) = S{TrA{\v)m (1) 

where S{p) = —Tr{plogp) is the von Neumann entropy. We have S = if and only the state is 
unentangled. For mixed states, a mixed state p is unentangled if and only if it is equivalent to a state 
that is a mixture of pure states | ipi) with probabilities pi. Any other mixed state is entangled. However, 
there is no universally agreed definition for the amount of entanglement in a mixed state. 

If we denote the dimension of by N, then the maximum amount of entanglement in this system 
is log A". We define the state ^' at to be 

* 1=0 

It is a maximally entangled state in <S) . Notice it is a state in a space of dimension N^. In 
particular, if A?^ is a power of 2: AT = 2", then the state is the state of n EPR pairs. We call this 
special kind of states EPR states. 

2.2 Diagonal Subspaces 

For a symmetric, bipartite system H = <S) H^, we denote by TiP the A-dimensional subspace 
spanned by 

and we call it the diagonal subspace of Tiff (8) Hff. The reason for the name is: for a general state 

\v) = J2»ij\i)''\j)^ 
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we can write its coefficients (totally N'^ of them) in a matrix form, where the (z, j)-th entry is ajj-, then 
the elements in TiP correspond to the diagonal matrices. Notice that this definition is also consistent 



with the "Bell-diagonal" |BDS+9£] states for = 2. A mixed state p is in the diagonal subspace, if 



there exists a decomposition of p: 

P = "^Pi ■ \4>i){<t)i\ 

i 

such that all pure states | (j)i) are in the diagonal subspace. 
2.3 Fidelity 

For two (mixed) states p and a in the same quantum system, their fidelity is defined as 

F(p,a) = Tr(pi/2^^i/2). (3) 

This definition simplifies if one a = \'^){ip\ is a pure state. Then the fidelity of p and a is 

F{p,\ip){^\) = {ip\p\ip) (4) 

In the special case that | 99) = ^ n is the maximally entangled state, we call the fidelity of p and | ip) 
the fidelity of state p, and the definition simplifies to: 

F{p) = {^m\p\^n) (5) 
When the state p = |0)(0| is also a pure state, we have 

F{p) = F{\4>){4>\) = m^N)? 

and the fidelity is just the square of the inner product with ^tv- 

One property for the fidelity is: it is linear with respect to ensembles. 

Claim 1 Let p he the density matrix for a mixed state that is an ensemble {pi, \ (pi)}- The fidelity of p 
is the weighted averages of the qualities of the pure states: 



F{p)=Y,Pi■F{\^i){<t^^ 



This linearity is particularly convenient in some of the proofs in this paper. 

3 General Entanglement Purification Protocols 

3.1 The general setting 

Alice and Bob are given some entangled state in TL"^ ® T~^n- They are also given an auxiliary input 
0n^. Alice can perform unitary transformations on her part of the state (W^ Ti-^) 
and Bob can perform unitary transformations on his part (W^ <S> 'H^). Since those transformations 
only affect one part of the state, they are called local operations. Alice and Bob are also allowed to 
communicate classical bits but not quantum bits. This model is called LOCC (local operations and 



classical communication) | BBP+96a , N99 |. 



If the starting state is unentangled, applying LOCC operations keeps the state unentangled [ BBP+96a 
Thus, LOCC operations cannot create entanglement but they can be used to extract the entanglement 
that already exists in the state. 

We use the letter V to denote protocols for extracting entanglement by LOCC operations. At the 
end of a protocol V, Alice and Bob have two options: 
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1. They can abort and claim failure by outputting a special symbol FAIL. We denote this by V{p) = 
FAIL. 

2. They can output a (possibly mixed) state a in Ti^ 'H^j. We denote this by V{p) = a. 

We now define the error model. We first give an unsuccessful definition to illuminate some of 
difficulties that we face and to explain the reasons behind our final definition. 



3.2 Extracting entanglement from an arbitrary state 

Ideally, we would like to have a protocol that takes any entangled state in Tif^ ® with at least 
a certain amount of entanglement and extracts a state close to for some M < N. This would 
correspond the definition of extractors where extractor can transform any probability distribution with 
min-entropy at least m into a probability distribution that is close to uniform. 

Unfortunately, this is not possible, even if we restrict ourselves to starting states with the maximum 
possible entanglement. Unlike in the classical world where there is just one probability distribution over 
A'" elements with entropy logA^ (the uniform distribution), there are infinitely many quantum states 
with entanglement logA^. Namely, any quantum state of the form 

N-l 

|0) = ^a,|i)|i) (6) 

i=0 

with I Clip = for alH G {0, . . . , — 1} has entanglement logiV. In particular, this includes 

N-l 



for j £ {1, . . . , A^}. Assume that we have a protocol that extracts from any | 4>j). This means that, 
given \(j)j), the protocol ends with the final state of the from consider running this 

protocol on the mixed state p that is | cpo) with probability 1/N, | ^2) with probability 1/N, | (pN-i) 
with probability 1/N. Then, the final state is of the form "X" p' where p' is some mixed state. 

The problem is that p is equivalent to the mixed state that is | 0)| 0) with probability 1/A^, | 1)| 1) 
with probability 1/A^, | A^ — 1)| A^ — 1) with probability 1/A^. (This equivalence can be verified by 
writing out the density matrices of both states.) Neither of states is entangled, so the mixed state 

obtained by combining them is not entangled as well. Yet, since this mixed state is equivalent to p, it 
gets transformed into m ® p' which is entangled because ^ m is entangled. 

We have constructed a protocol that transforms an unentangled starting state into entangled end 



state without quantum communication. Since this is impossible [ BBP+96a ], our assumption is wrong 
and there is no protocol that extracts any ^ m from an arbitrary | (f)j). 

The argument described above is still valid if we relax the requirement to extracting a state close to 
and if we allow to use a perfect auxiliary state k- In the second case, we can get the perfect ^ k 
back but cannot get an entangled state of higher dimension. 



3.3 Extracting from a state close to m 

The reason for the problem in the previous section is that there are multiple maximally entangled 
states and combining them into a mixed state can cancel the entanglement and create a state with 
no entanglement. The consequence is that if we want to be able to extract entanglement we have to 
restrict ourselves to states that are close to one particular highly entangled state (rather than some 
highly entangled state). Therefore, we assume that the starting state is close to ^'a/Q- 

A common way to measure the closeness to ^' m is the fidelity (section p. 3D . This gives the following 
definitions. 

^The protocols can be modified to use any other fixed state of tlie form (h) instead of m 
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Definition 1 (Absolutely Successful GEPP) A General Entanglement Purification Protocol V is 
absolutely successful with parameter {N,K,AI,e,6), if for all states p such that F(p) > 1 — e, 

Prob [P{p) = FAIL] = 

and 

Prob [F{V{p)) >l-5] = l 

Definition 2 (Deterministically Successful GEPP) A General Entanglement Purification Proto- 
col V is deterministically conditionally successful with parameter (A^, M, e, if for all input states 
p such that F{p) = 1 — e, 

Prob [V{p) = FAIL] <p 

and 

Prob [F{V{p)) > 1 - (5 I V{p) + FAIL] = 1 

Definition 3 (Probabilistically Successful GEPP) A General Entanglement Purification Protocol 
V is probabilistically conditionally successful with parameter {N,K^M,e,5^p,q), if for all input states 
p such that F{p) = 1 — e, 

Prob [V{p) = FAIL] < p 

and 

Prob [F{V{p)) > 1 - (5 I V{p) / FAIL] >l-q 

Definition 4 (Efficient GEPP) A General Entanglement Purification Protocol V is efficient, if there 
exists a constant c such that V can he implemented by quantum circuits of size 0{{logN + logKY). 

4 Results 

4.1 Impossibility result for absolutely successful protocols 

Theorem 1 (a) For all absolutely successful General Entanglement Purification Protocols with pa- 
rameter {N,K,M,€,S), we have the following inequality: 

, M- K N 

> e. 

- M N -1 

(b) The bound in (a) is tight. For any integers N, M, K such that NK/M and M/K are both integers, 
there exists an absolutely successful GEPP with parameter {N, K, M,e, '^^^^ jv-i ^)- 

This shows that absolutely succesful protocols are quite weak. If we just want to extract the 
auxiliarly state and c more EPR pairs, then M = and we can achieve the fidelity of at most 
1 — ^2^7^^^ < 1 — (1 — which is less than better than 1 — e that we had at the beginning. If 
we want to get ^ k plus a linear number of EPR pairs, the improvement in fidelity is an exponentially 
small fraction of e. 

We prove theorem ^ in appendix 
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4.2 Constructions of conditionally successful protocols 

On the other hand, there are good conditionally successful protocols. 

Theorem 2 For all integers n,t,d such that n> t and any real e < 1/2, there exist efficient determin- 
istic conditionally successful general entanglement purification protocols of following parameters 

. (2-,(2--l),2-~*(2"-l),e,^,e) 
. (22",2" + l,2"(2" + l),e,^,e) 

) 2"-l ' V 2"-l /' ' 2" ' / 

for mixed states in the diagonal subspace. 

The first protocol achieves the smallest loss of EPR pairs, increasing the fidelity from 1 — e to 1 — ^ 
at the cost of losing just t EPR pairs. Is starts with n imperfect EPR pairs and an auxiliary state of 
dimension 2" — 1 and outputs a state of dimension 2"~*(2" — 1). The disadvantage is that we have to 
use an auxiliary state of almost the same dimension (2" — 1) as the state that we try to purify (2"). The 
second and the third construction use smaller auxiliary states but lose more EPR pairs. All 3 results 
are achieved by Simple Scrambling Protocol (appendix ^) using 3 different constructions of scrambling 
permutations (appendix^. 

The constructions fail with probability at most e. We can extend Theorem ^ to show that the 
trade-off between the probability of failure and increase in fidelity achieved by Theorem ^ is optimal. It 
might be possible to improve the theorem with respect to other parameters (the dimensionality of the 
extra state and the amount of entanglement that is lost if the prototocol does not fails). 

For states not in the diagonal subspace, we can construct a probabilistically succesful protocol with 
almost the same parameters. 

Theorem 3 For all integers n,t,l,d such that n > t, n > I and all real e < 1/2, there exist efficient 
probabilistic conditionally successful general entanglement purification protocols of following parameters 

. (2", (2" - 1)22*, 2«-*(2" _ 2e + i,) 

. (22", (2" + 1)22*, 2n(2n + 1), e, 2e + ^) 

. /ndn 2'*"-! r,2t o(d-l)n ^ 2'^" -1 \ ^ e , 1\ 

• \^ ) 2"-l ■ ' I 2"-l /' ^' 2*^' Y 2^' 2^/ 

We note that the extra probability of failure can be made arbitrarily small by increasing 

t. This theorem is shown by Complete Scrambling protocol which combines the Simple Scrambling 
protocol with another protocol, Hash-and-Compare (appendix |D|). 

5 Conclusions and Open Problems 

We investigated the problem of entanglement purification by Alice and Bob via LOCC. We used a very 
general model of the input state, where the only information Alice and Bob have is a lower bound on 
the fidelity of the input state. This contrasts with the previous models which assumed that the "noise" 
is identical and independent, or Alice and Bob have complete knowledge of the input state they share. 
Because of the generality of the General Error model, the techniques used in previous works don't 
appear viable. 

We defined three types of General Entanglement Purification Protocols. Absolutely successful 
GEPPs never fail, and they always output states that have very high fidelity. Deterministically condi- 
tionally successful GEPPs fail with small probability, and otherwise, they output states of high fidelity 
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with certainty. Probabilistically conditionally successful GEPPs fail with small probability, and other- 
wise output states of high fidelity with very high probability. 

We proved a negative result that there don't exist absolutely successful GEPPs of interesting pa- 
rameters, i.e., on average, the ability of Alice and Bob to purify the entanglement is very limited. 

We constructed efficient GEPPs that are deterministically conditionally successful for mixed states 
in the diagonal subspace (Simple Scrambling protocol) and probabilistically conditionally successful for 
an arbitrary state of sufficiently high fidelity (Complete Scrambling protocol). 

In our construction of the protocols, Scrambling Permutations play a very important role. We give 
3 different constructions of efficient Scrambling Permutations in Appendix ^. Each construction has its 
own advantage. By plugging them into the construction of Complete Scrambling protocol, we obtain 
different protocols with different parameters. We notice that the notion of Scrambling Permutations 
are closely related to universal hash functions. By being more lax on the "scrambling" property, they 
can have more efficient constructions than universal hash functions. 

There are several open problems: 

1. Remove the auxiliary input or reduce its size. In our paper, both the Simple Scrambling 
protocol and the Hash and Compare protocol need maximally entangled states as auxiliary input. 
The Simple Scrambling protocol needs them to "scramble" the coefficients of the input state, and 
the Hash and Compare protocol needs them to perform teleportation. In the final construction of 
the Complete Scrambling protocols, if Alice and Bob share an input of uq qubit pairs, they need 
to invest 0{no) perfect EPR pairs in order to perform the purification. It would be very desirable 
to reduce the number of auxiliary perfect EPR pairs as much as possible: the ideal case would be 
removing them completely, but even reducing them to o(no) would be interesting. 

2. Optimal GEPPs The Simple Scrambling protocol is optimal in the sense that the average fidelity 
of its output matches the upper bound of Theorem [l| asymptotically (in case Alice and Bob fail, 
they can output | Zm)"^ S?> | Zm)^ instead). However it is not true for Hash and Compare and 
Complete Scrambling protocols. Do there exist optimal GEPPs that work for all states? 

3. Relationship to classical randomness extraction. As we described in the introduction, we 
view the problem of extracting entanglement as a quantum counterpart of extracting randomness 
from a weak random source. There is also a similarity between the techniques used in those 
two problems. One of the main techniques used in the classical randomness extraction is the 
universal hash function, and we used scrambling permutations in our construction of GEPP. Are 
there deeper relationships between the two problems? Also, can some of the techniques from 
classical randomness extractors be used in the entanglement purification? Notice that the state 
of art in randomness extraction is that only logarithmic number of truly random bits need to be 



invested and almost all the entropy can be extracted [NT99|, whereas in the case of entanglement 
extraction, our constructions call for linear number of perfect EPR pairs to be invested and 
considerable amount of entanglement is wasted. Can we make the entanglement purification 
protocols more efficient, or are these inefficiencies inherent? 
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A Tight bounds on Absolutely Successful GEPPs 

We prove Theorem |l] in this section. 
A.l A Negative Result 

We show that on average, Ahce and Bob cannot increase the fidehty of their input state significantly, 
even if they have an auxihary input ^k- 

We first study a simpler problem. Suppose Alice and Bob share a maximally entangled state 
and some private ancillary bits, initialized to | 0). We describe this shared state by 

\<P) = {\ Zn)^ I Zn)"") 

The fidelity of this state is K/M by a simple computation. 

Alice and Bob try to convert state | cj)) as close to ^ m as possible by LOCC. The problem is: how 
close can they get? If M/K is an integer, Alice and Bob just trace out a subsystem of their ancillary 
bits to bring the dimension of each their subsystem to M, then they obtain a state 

I ^o) = (I Zm/k)^ ® I Zm/k)'') ® "^K 

which has fidelity K/M by a straightforward computation. In fact, this is actually the best Alice and 
Bob can do: 

Lemma 1 Let \ = (| Z^)^ \ Z^)^) a state in a bipartite system Tl^j^ ^ '^nk shared 

between Alice and Bob. Let a be the state Alice and Bob output after performing LOCC operations. 
Suppose that a is in the subspace Hf^ ®TLfj. We have F{a) < ■ 



This lemma is a direct corollary of a result by Vidal, Jonathan, and Nielsen |VJNOO|. There is also 
a simple direct proof in Appendix 

Proof: [Proof to Theorem |l], part (a)] 

We prove the theorem by demonstrating a particular mixed state p such that p has a fidelity 1 — e, 
and no LOCC can increase its fidelity to more than 1 — ^^^^ iv~i ^- 

Let e' = j^^- We define the state p to be 

p = (1 - e') • \^n){^n\ + e ■ \Z^ Z§){Z^ Z§\ 

In fact, p is the maximally entangled state with probability (1 — e') and the totally disentangled 
state Z^ (g) Z^ with probability e'. 

It is easy to verify that F{p) = 1 — e, since {'^n \ Z^ Z^) = 1/Vn and, therefore, 

F{p) = (1 - e')Fi\^N){^N\) + e'F{\Z^ Z§){Z^ ® Z^|) = (1 - e') + 1^' = 1 - (1 - l)e' = 1 - e. 
For an arbitrary GEPP V that never fails, we define 

fl = F{V{\^N){^N\)) 

and 

f2 = F{r{\z^^z§){z^^z§\)) 

Then we have /i < 1 and by Lemma ||, /2 < K/M. 

By the linearity of fidelity of quantum operations, we know that 

F(PW) = (i-.U + ^A<i-^.' = i " 



M M N -I 

We will prove the part (b) of the theorem in the next subsection. ■ 

Therefore, there don't exist absolutely successful GEPPs with very interesting parameters — we 
hope that our protocol is able to "boost" the fidelity of the input state to arbitrarily close to 1, but 
clearly this is impossible for absolutely successful protocols. 
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A.2 A Protocol That Matches the Bound 

We now prove the second part Theorem |l|, that the bound is tight. We do so by showing that there is 
a protocol that achieves this shght increase in fideUty. 

The input to the protocol is a state p in TL"^ ® H^. The protocol outputs a state in H"^^ (8) 
where M < N and M divides N. There is no auxiliary state used, i.e., K = 1. 

Construction 1 (Random Permutation Protocol) The input to this protocol is a state in Tifj 
The steps are: 

1. Alice generates a uniformly random permutation tt on N elements using classical randomness and 
transmits the permutation to Bob. 

2. Alice applies permutation it on mapping \ i) to \ i^{i)), Boh does the same on Ti^. 

3. Alice and Bob decompose TCn asTiM ® "Hl, L = N/M and measure the TCl part. 

4- Alice sends the result of her measurement to Bob, Bob sends his result to Alice. 

5. They compare the results. If the results are the same, they output the state that they have in 
Tifj (8) Ti-^j. If the results are different, they output \ Zm) ® \ Zm)- 

We start with the case when the state of Alice and Bob is in the diagonal subspace. 

Lemma 2 If the input state to the Random Permutation Protocol is in the diagonal subspace, the 
protocol is absolutely successful with parameters {N,l, M,e, l?^^)" 

Proof: Without loss of generality, we assume that the starting state is pure. Let | cj)) = X^^i ai\i)'^\i)^ 

be the starting state. For a permutation tt, let 17-,^ be the unitary transformation defined by C/tt (| i)^ | j)^) = 

1 7r(z))^| 7r{j))^ . Then, if Alice and Bob use a permutation tt, the resulting state is 

N N 

1=1 1=1 

There are A^! permutations vr on a set of A^ elements. Therefore, each of them gets applied with 
probability 1/A^!. This means that the final state is a mixed state of | (j)-,^) with probabilities 1/A^! each. 
We calculate the density matrix p of this state. It is equal to 

H2)<-i(7V) 
i(Af)<-i(JV) / 

We claim that all diagonal entries pa are equal to 1 /N and all off-diagonal entries pij , i ^ j are equal to 
some value a which is real. This follows from the symmetries created by summing over all permutations. 

Consider a diagonal entry pa. For each j £ {1, . . . , A^}, there are (A^ — 1)! permutations that map j 
to i. Therefore, 

N ^ ^ N 

Pii = - ly.j^aja* = ^ X] 

j=i ■ i=i 

SjLi lo^iP is the same as which is equal to 1. Therefore, pu = 



a^-i{2)<-i(i) "^-i(2)<-i(2) 
\ "7r-i{Ar)a*-i(i) "7r-i(Af)"^-i(2) 
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Next, consider an ofF-diagonal entry pij. For each k,l, k ^ I, there are (A^ — 2)! permutations that 
map k to i and I to j. Therefore, 



N N 

p^^ = Y. E 

fc=i i=i,i^k 



N 



N 



E E 

k=l l=l,l^k 



1 



N{N - 1) 



This immediately imphes that pij is the same for ah i ^ j. Also, notice that (a^a^)* = a*^ai. Therefore, 
Oik(y*i + aia\ is real and pij (which is a sum of terms of this form) is real as well. Let a = pij. We have 
shown that 

( jj a ... a \ 
a ^ ... a 



P 



N 



J 



Notice that the density matrix p can be also obtained from a mixed state that is ^'tv with probability 
Na and each of basis states with probability — a. 

We now consider applying steps 3-5 to those states. Measuring "H^ ^7i^ for | ^'tv) always gives the 



same results and leaves Alice and Bob with the state 
^m) is, of course, 1. Measuring Tif; and 7if for 



'M/ 

and Bob with some basis state 



M, 



in n^i 



B 



TL^. The fidelity of this state with 
also gives the same results and leaves Alice 
in the diagonal subspace of Tlf^ TL?j . The fidelity of this 



state and | ^'m) is jg. By Claim ||, if we apply those steps to the state p, we get that the final fidelity 



Na + N 



N 



11 f I 



(7) 



We now lower-bound a. By Claim |, F{p) = -^^Y.^ F{\(t)^)). Since permuting the basis states 



preserves the maximally entangled state = -^Yli=i 
the same as the fidelity of | 



, the fidelity of any 



IS 



F{P) 



a 



a 

N 



Therefore, F{p) = F{\(f))) > 1 — e. By applying the definition of fidelity. 



a 
a 



1 



1 



1 



iV2 ^ 'N 



N 



+(iV-l)a. 



Since F{p) > 1 — e, it must be the case that a > 
the final state with | ^k) is at least 



N-l ■ 



By substituting that into (0), the fidelity of 



M 



+ N 



1 

N 



N - 1 



1 

M 



N 
N-l 



1 

M 



e. 



To prove the second part of Theorem |l|, it remains to show that the protocol also succeeds for states 
not in the diagonal subspace. Let \ <p) he a state such that F{\ (j))) > 1 — e. We decompose 

10) = yr^i (/>!) + ^/^i 02), 

with I 0i) G and | ^2) G {H^)^ . Let F(| 0i)) = 1-5'. Since ^'at is in and | 02) is orthogonal 
to n^, we have F(| ^2)) = and F{\ (p)) = (1 - 5){l - 5'). Notice that (1 - 6){l - 6') > I - e because 
F(|V))>l-e. 

Applying C4 maps | 0) to | 0^) = Vl - 5\ 0^,i) + VS\ 0,^,2) where | 0,^,1) = Ut,\ 0i), | 07r,2) = U.^\ 02)- 
Since iT^- preserves the diagonal subspace, | 07r,i) G and | 0,7,2) G {TiP)'^ ■ Measuring Tif^ and W£ for 
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a state in HP always gives the same results and produces a state in the diagonal subspace of T~(-m ^"^m- 
Measuring Tif^ and Tif^ for a state in {liP)-^ either gives the different results for Alice and Bob or gives 
the same results but produces a state orthogonal to the diagonal subspace of (8> . 

The fidelity of the final state consists of two parts: the fidelity of the final state if Alice's and Bob's 
measurements of Ti^ give the same answer and the fidelity if measurements give the different answer. 
The first part is just {1 — 6) times the fidelity of the final state if the starting state was | (j)i) (instead of 
I (/))). Since | (/>i) is in the diagonal subspace, Lemma ^ implies that the final state of the protocol | cj)i) 
has the fidelity at least 1 — D5' where D = . Therefore, the first part is at least 

(1 _ _ D5') = (1 - 5){l - 5') + (1 - D)5'{1 - 5) (8) 

The second part is the probability of measurements giving different answers times the fidelity of the 
state I 0) ® I 0) which Alice and Bob output in this case. The fidelity of this state is and the probability 
of this case is given by 

Lemma 3 The probability that Alice's and Bob's measurements give different answers is S. 
Proof: First, we look at the state | </>2)- Since this state is in {TiP)^, it is of the form 

N 



Applying C/^ maps it to 



B 



The probability of Alice and Bob getting different results is equal to the sum of |«7r-i(j),7r-i(j)P over all 
basis I i)^, \ j)^ that differ in the Tii part. If this sum is averaged over all permutations vr, it becomes 
the same for all i,j, i ^ j. Therefore, the probability of Alice and Bob getting different results is just 
the fraction of pairs {i,j) that differ in the TIl part. It is because for each i, there are (A'^ — 1) 

j E {!,..., N}, j ^ i and M — 1 of them differ only in the fix but the remaining N — M differ in the 
Hl part. 

If the starting state is \(p), the probability of Alice and Bob getting different results is 6 times the 
probability for | 4)2) because | (/>) = \/l — ^1 4>i) + VS\ 02 ) and the measurements always give the same 
answer on | ) . ■ 

Therefore, the second part of the fidelity is ^J^i ^- Notice that 1 — D = 1 — j\^^jv-i) ~ 
(M- i)N-M(N-i) _ ^jV-M ^ ^ Thus, the second part is (1 — D)6 and the overall fidelity is at least 

(1 - 6){1 - 6') + (1 - D){1 - 6)6' + {1-D)6 = 1- D{6{1 - 6') + 6'). 

Since (1 — 6){1 — 6') > 1 — e, <5(1 — 6') + 6' < e. Therefore, the overall fidelity is at least 1 — De. This 
completes the proof of the second part of Theorem |l] for K = 1. 

For K > 1, we can just produce an entangled state of dimension M' = M/K without the use of 
I k) by the protocol above and then output this state and the original | ^ k)- This achieves the fidelity 
of at least 1 — De for D = ^j^^ = ^'^^mJW'W^ ~ proving that the bound of Theorem |l] 

(a) is tight ior K > 1 as well. 
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B Proof to Lemma |T| 



We give a (somewhat) simpler proof to Lemma|l]than the proof by Vidal, Jonathan, and Nielsen | VJNOO|] . 

For a self-adjoint matrix M, we define its spectrum written as to be a vector formed by the 

eigenvalues of M, and whose entries are sorted in a decreasing order. In other words, if the eigenvalues 
of M are Ai, A2, A^, where Ai > A2 > • • • > A^, then S{M) = (Ai, A2, A^). 

For a mixed state /o, if we write p as 

d 

P = ■ \(t)i){(t>i\ 

i=l 

where pi > P2 > • • • > Pd, and {!</>«)} is an orthonormal basis, then 

S{p) = {Pl,P2, ■■■,Pd) 

A useful Fact about the spectrum of a tensor product of two matrices is the following: 

Fact 1 Let A and B be square matrices such that the eigenvalues for A are {Ai, A2, A^} and the eigen- 
values for B are {;Ui,//2, ■■■,Pm}- Then the eigenvalues for the matrix A®B are {\i-pj}i=i,2,...,m, j=i,2,..,n- 

Proof: It is easy to verify that \i A - v = X - v and B ■ u = fj, ■ u, then {A^ B) ■ (v <^ u) = (X- fi){v u) 



and a corollary the above fact is: 

Corollary 1 Let , be the density matrices for quantum systems and TL^ . Then we have 

rank (/ p^) > rank (/) (9) 

Proof: Notice that the rank of a matrix equals the number of non-zero eigenvalues of this matrix. 
Since p^ is a density matrix, it has trace 1, and thus it has at least one non-zero eigenvalue — assume 
it is p,i. We denote the eigenvalues of by Ai, A2, A^, then by Fact [l|, Ai • ^1, A2 • ^1, Xm ■ Pi are 
all eigenvalues of p^ ■ p^, and they contain at many non-zero numbers as the eigenvalues of p^. ■ 

Proof: [Proof to Lemma ^ 

We consider an arbitrary protocol V between Alice and Bob involving only LOCC. We assume that 
V consists of steps, where each step could be one of the following operations 0: 

1. Unitary Operation: 

Alice (or Bob) applies a unitary operation to her (or his) subsystem. 

2. Measurement: 

Alice (or Bob) performs a measurement to her (or his) subsystem. 

3. Tracing Out: 

Alice (or Bob) discards part of her (or his) subsystem, or equivalently, traces out part of the 
subsystem. 

4. Classical Operation: 

Alice (or Bob) sends a (classical) message to the other party. 

^We assume that Alice have enough anciUary qubit at the beginning of the protocol and not more new ancillary qubits 
need to be introduced during the protocol. 
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We first convert this protocol V into another protocol V' in the following way: for each tracing-out 
operation Alice (or Bob) performs, we insert a measurement operation right before the tracing-out, 
and the measurement is a full measurement of the subsystem to be traced out. Notice that V will 
have exactly the same output as since the subsystem that was traced out isn't part of the output. 
However, V' has the property that for each subsystem traced out in the protocol, that subsystem is 
disentangled from the rest, since it is already completely measured. 

Now we analyze the new protocol V' ■ We denote the partial density matrix of Alice for the state 
1 4) by p^: 

/ = TrB(|0)(0|) (10) 

Since we know | precisely, we can compute precisely, and in particular, its spectrum. It is easy 
to verify that the spectrum of p"^ is 

5(p^) = (l//^,l/K,...l/K,0,0,...,0) 

^ V ' V ' 

K {N-1)K 

So the rank of p"^ (which is also the Schmidt Number of \(f))) is K. 

We focus on how p^ changes with the local operations Alice performs (apparently it doesn't change 
with Bob's local operations): we shall prove that the rank of p'^ never increases. There are 3 types of 
operations Alice can perform: unitary operations, local measurements, and tracing out a subsystem, we 
analyze them one by one: 

• Unitary Operations 

This operation changes a mixed state p^ to Up^W, where [/ is a unitary operation. Obviously 
the rank doesn't change. 

• Local Measurements 

Suppose measurement operator is {Mm} satisfying J2m ^mMm = I, and the measurement yields 
result m. Then Alice ends in state 

Again, we have rank (pm) ^ rank (p^). 

• Tracing Out a Subsystem 

We write = and we suppose that the subsystem H^^ is traced out. We write the 
partial density matrix for 7i^° as p^°, and we have p^° = TtAiip^)- 

We know that in protocol V' , the subsystem 7i^° is disentangled from the subsystem Ti.^^. Thus 
we have 

p^ = p^o ^ pA, 

for some density matrix p"^^ . and by Corollary ||, we have ra n k(p^o) < rank(/9^). 

So, as Alice and Bob perform local operations, the rank of the partial density matrix for Alice never 
increases. This fact remains true even if Alice and Bob perform classical communications (this just 
means that Alice has the ability to perform different local operations according to Bob's measurement 
result, but no local operation Alice performs can increase the rank). 

We denote the density matrix for the final state after the protocol V to be pE, and we define 
= Tt:b{pe) to be the partial density matrix for Alice. Then we have rank (p^) < K. Notice p"^ 
should be an M X M matrix since Alice and Bob are supposed to arrive at a state in Tlfj (8) Tl^ . We 
use Pq to denote the partial density matrix for Alice if we trace out the system Tif^ from the target 
state ^M- It is easy to verify that p^ = j^I, where / is the identity matrix. 
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By monotonicity of fidelity, we have 

F{pEA^M){^M\)<F{pi,p^) 

However, we have 

We write the spectrum of as 

5(p^) = (Ai,A2,...,Am) 
and we know that Aj^+i = Xk+2 = • • • = \m = since rank {p"^) < K. Therefore, we have 

M K 

1=1 1=1 

and thus 

Therefore we have 

F{pe)=F{pe,\^m){^m\) < F{pi,pi) < ^ 



C Constructions of Deterministically Conditionally Successful GEPPs 

We describe the construction of the "Simple Scrambling" protocol. This protocol is deterministically 
conditionally successful GEPP for input states in the diagonal subspace. 

The construction relies on a special family of permutations, namely the Scrambling Permutations. 
We give a definition of Scrambling Permutations first, and postpone the actual construction of these 
permutations to the Appendix 0. 

C.l Scrambling Permutations 

We define a class of permutations that would be useful in constructing the Simple Scrambling protocol. 
We work on functions over binary strings, and we use x o y to denote string x concatenated with string 
y. For finite sets A and B of binary strings, we define the concatenation of A and B to be set 

Ao B = {aob \ a £ A,b £ B} 

We will be working with 4 finite sets of binary strings, and we call them X, Y, G, and H. These 
sets have the property that X = G o H . We define N = \X\, K = \Y\^ W = \H\, L = \G\, and we will 
be using this size convention for the rest of this paper. Obviously we have = WL. 

Definition 5 (Scrambling Permutation) A class of parameterized function pairs {gy{x),hy{x)) of 
types Qy : X ^ G and hy : X ^ H is called a scrambling permutation pair of parameter (A, AT, L), 
or simply scrambling permutation, if the following 2 conditions are satisfied: 

1. (Permutation) For all y £ Y, x i — > gy{x) o hy{x) is a permutation in X. 
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2. (Scrambling) There exists a positive number p, such that or any pair of elements xi ^ X2 in X, 

Prob y[hy{xi) = hy{x2)] = p 

where the probability is taken over the y uniformly chosen from Y. We call this p the "collision 
probability". 

Furthermore, the pair will be called efficient scrambling permutation pair if both the function gy{x)ohy{x) 
and its inverse can be efficiently computed (i.e., has polynomial- size circuits). 

It is interesting to compare the definition of scrambling permutations to that of universal hash func- 



tions |CW7£, WC81]. On one hand, the scrambling permutations are permutations, while the universal 
hash functions don't have to be. On the other hand, the "scrambling" property in the scrambling per- 
mutation is weaker than that of the universal hash functions. For scrambling permutations, the function 
hy{x) only need to have a constant collision probability for all pairs (xi, X2). However, for universal hash 
functions, the setting is that Prob y[hy{xi) = a A hy{x2) = h] is the same for all (xi,X2,a, 6) tuples. 
Obviously, any universal hash function that can be extended to a permutation will induce a scrambling 
permutation. An example is the linear map construction {fa,b{x) = a ■ x + b, see |MR95|, page 219, 



or [ L96 |, page 85). However, there exist more efficient constructions of scrambling permutations — We 



postpone the detailed construction and discussion to Appendix ^, and we just state the results here: 

Theorem 4 There exist efficient scrambling permutations with the following parameters: 

• (2", (2" - l),2"-*,2*) 

• (22", (2" + 1)2^*, 2", 2") 

. (2'i«,|^£^.22*,2('^-i)",2-) 

where n,t,d are integers such that n > t. ■ 

A useful fact about Scrambling Permutation is that the collision probability p can be computed. 

Theorem 5 Let {gy{x), hy{x)) be a scrambling permutation pairs of parameter {N, K,W, L) . The col- 
lision probability p equals (L — 1)/{N — 1). 

Proof: We call a triple {xi,X2,y) a "collision instance", if hy{xi) = hy{x2)- Now we count how many 
such collision instances there are. There are two ways to count them. 

• For each (xi,X2) pair, there are K ■ p y's such that hy{xi) = hy{x2). So the total number of 
collision instances is 

Kp-N{N - l)/2 

• For each fixed hy{-), it is a function that maps X of size N to H oi size W. Since gy ■ hy is a 
permutation, the mapping hy{x) has to be an "even" one: for each u € H, there must be precisely 
L elements in X that are mapped to u. So the elements in X are partitioned into W subsets, 
each of size L. The number of pairs that are in the same subset is therefore W ■ L(L — l)/2. So 
the number of collision instances is 

K -W ■ L{L-l)/2 

The two ways should give the same result. Thus we have 

Kp ■ N{N - l)/2 = K -W ■ L{L-l)/2 

or 

L-1 

P 



N-l 
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C.2 The Construction of the Simple Scrambhng Protocol 



We describe the construction of the Simple Scrambhng protocol, which is deterministically conditional 
successful for input states in the diagonal subspace. 

First, we recall the definitions of the Fourier Operator and the Hadamard Operator. 

For a Hilbert space of dimension A^, the Fourier Operator is defined by the matrix F where the 
(x, ?/)-th entry of F is -^w"^'^, for x,y = 0, 1, — 1, where lo = e^~ is a root of the unity, and x ■ y 

denotes the integer multiplication. F is a unitary operator. We call its inverse, F^ , the Inverse Fourier 
Operator. 

For a Hilbert space of dimension N = 2^, the Hadamard Operator is defined by the matrix H where 
the {x, y)-th entry of H is '^{~^)^'^ i where x»y is the inner product of x and y, for x,y = 0, 1, A^— 1. 

This protocol is parameterized by 4 integers: N, K, W, L, such that there exists a scrambling per- 
mutation pair {gy{x), hy{x)) of parameter {N, K,W, L). 

Construction 2 (Simple Scrambling Protocol) The input to the protocol is a state p in Hjj®nfj. 
The protocol also has an auxiliary input of^K- The steps are: 

1. Alice and Boh both apply the scrambling permutation to their qubits: using the qubits from p as x 
and the qubits from ols y, and outputs the values of both functions and y: 

\x)\y) ^\gy{x))\hy{x))\y) (11) 

Here we identify the Hilbert space Wat Tix with Tii Ti-w Ti-K ■ 

2. Alice applies the Fourier Operator to the state \gy{x))^, and Bob applies the Inverse Fourier 
Operator to the state \gy{x))^. Then both measure these qubits in the computational basis. 

In the case that L is a power of 2, Alice and Bob can, alternatively, both apply a Hadamard 
operator to their states of \ gy{x)), instead of the Fourier and Inverse Fourier operators. 

3. Alice and Boh compare their results via classical communication. 

4. If the results are the same, they discard the measured state (or equivalently, trace out the subspace 
Hl), and output the remaining state, which is in Hilbert space Ti-y^K ^ '^WK- 

5. If the results are different, they discard everything and output FAIL. 



We point out that this protocol can be implemented by LOCC. In step 1, both Alice and Bob apply 

is a 



a scrambling permutation to their state. It is easy to verify that the mapping in Equation 11 



permutation and thus is possible to realize quantum-mechanically. Next, if the scrambling permutation 
is efficient, there exists a polynomial-size quantum circuit that implements it [LOl]. In step 2, Fourier 
Operators and Inverse Fourier Operators are applied by Alice and Bob, respectively. Fourier Operators 
exist for every A^ and when A'^ is a power of 2, there exists an efficient implementation of both the 
Fourier Operators and Inverse Fourier Operators. Also, in the case A^ is a power of 2, there exists a 
very efficient algorithm for performing Hadamard operators. Therefore we have: 



Claim 2 The simple scrambling protocol can be implemented by LOCC. Furthermore, if the scram- 
bling permutation used in the protocol is efficient and L is power of 2, the protocol can be efficiently 
implemented. 



C.3 The Analysis of the Simple Scrambling Protocol 

Now we prove a lemma that the Simple Scrambling protocol is deterministically conditionally successful 
for input states that are pure states in the diagonal subspace. 
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Lemma 4 If the input state to a Simple Scrambling protocol is a pure state in the diagonal suhspace, 
then this protocol is deterministically conditionally successful with parameter {N, K,WK,e, e) for 
e < 1/2. 

Intuitively, this lemma is true because the Scrambhng Permutation "shuffles" the coefficients of 
I 4>) very "evenly" . Then the Fourier operator (or the Hadamard operator) "mixes" all the coefficients 
together. Therefore when the protocol doesn't fail, the coefficients of the output state are much more 

"smooth" than that of \d>). 



Proof: We write the input state | (p) as 



\cf>) = J2c^x\x)^\xf (12) 



and we have that 

xex 

We denote Ylxex by D. Then we have 

2 

E 



l-e=\{<t>\^N)f = j^ 



ax 

x£X 

We will go through the protocol and keep track of the state. 



\D 



2 



N 



(13) 



1. The initial state for Alice and Bob is 

Ik = - 

'K 



V'l) = I ® = E E "=^1 ^ ° X o y)^ (14) 

xex yeY 

2. After applying the scrambling permutation, the state becomes 

I 4^2) = i E E ■ I Sy^^^ ° ^y^^^ °y)^-\ 9y{x) o hy{x) o y)^ (15) 
xex yeY 

3. After the Fourier and Inverse Fourier operators, the state is 

I ^3) = 7^ E E E E • a. • I o hy{x) oy)^.\gBO hy{x) o (16) 

^"^^ xex yeY qaGG ggeG 

Alternatively, if L is a power of 2, and Hadamard operators are used instead of Fourier and Inverse 
Fourier operators, the state is 

l^3) = 74^EE E T.(-^y'^'^'^'"''"'^-''--\9Aohyix)oy)^.\gj,ohy{x)oyf (17) 
^"^^ xex yeY QAeG ggeG 

In either cases, if Alice and Bob both measure their qubits and they both obtain the result g, the 
state becomes 

I ^4,g) = -A= E E ■ 1 5- o hyi^) °y)^-\9° hy{x) o y)^ (18) 
xeXyeY 

where A is a normalization factor. Notice that if Alice and Bob both discard the qubits | g)^ and 
I g)^ (which are disentangled from the rest), the resultant state is the same for different | g)^s: 
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Now let's compute A. 

To normalize | V's)) we can re-group the terms and re- write it as 



I^5) = 74pEE| E c^.\-\uoy)^.\uoyf (20) 



u&Hy&Y \hyix)=u 



Therefore we should have 



EE 

ueHyeY 



E ■ 

hy(x)=u 



Furthermore, we have 



EE E 

ueHyeY \hy{x)=u 



and thus 



EE E 

yeYueH \ hy{x)=u 

E E + E E («j;i«x2 +axiax2) 

ySFxeX yeY xiy^X2,hy{xi)=hy{x2) 

E E («xiQ:x2 +«xiax2) 

y€Y xiy^X2yeY:hy{xi)=hy(x2) 
E P-^("2:iai2 + 



■'a;2; 



XlJ^X2 



= K+pK 



E"^ 

K[l+p{\D\^-l)] 



-E 



a-. 



K[l+p{\D\^-l)] 

l+p(|D|2-l) 



l + ^^{N-l-Ne) 
L 

~ ^ Z,(JV-1) 



Notice A is the probability that Alice and Bob both obtain | g) for their measurement. There are 
L possible | g)'s that Alice and Bob can obtain. So the probability that Alice and Bob obtain the same 
result is 

L , iV(L-l) 



Prob [Alice and Bob obtain the same result! = -r-^ = 1 — e ^ , 

^ ^ A2 L{N - 1) 



> 1 -e 



22 



And the fidelity of is 

i"(l^5)(V'5|) 



1 A 



EE E . 

ueH y&Y \hy{x)=u 



A2 



A^ 
A^ 

(l-^)-A^ 
L 

1-e 



EE E 

uG-ff y&Y hy{x)=u 
2 



xex yeY 
\KD\'^ 



1 - e 



1-e 



Ar(L-l) 
L(7V-1) 

N -L 



1 



L(iV_i) 1 



e • 



N(L-l) 
L(N-l) 



> 1 - 2e • 
= 1 - 2e • 



N - L 
L{N - 1) 
W^- 1 
iV- 1 



> 1 



2W^ 



Therefore, if the input state | cf)) has a sufficiently high fidehty, then with high probability the Simple 
Scrambling protocol will succeed, and the resultant state, which is also a pure state, can have a much 
higher fidelity. 

Next, we prove that the Simple Scrambling protocol works without modification for mixed states in 
Diagonal Subspaces, with exactly the same parameters. 

Lemma 5 If the input state to a Simple Scrambling protocol is a mixed state in the diagonal suhspace, 
then this protocol is deterministically conditionally successful with parameter {N, K,WK,e, ^^e, e) for 
e < 1/2. 

Proof: We write the mixed state as an ensemble: {pi, \ 4'i)}i=i,2,...s- We use 1 — to denote the fidelity 
of pure state 4>i. Then we have e = Y^^Pi • by the linearity of fidelity. 

As in the proof to Lemma the protocol will succeed with probability 1 — • '^(^^Zi) ^oic state 



So the overall probability that the protocol doesn't fail is 

Prob [7'(|</.,)(<^,|) = FAIL] = Y^pi 



N{L - 1) 
L(iV- 1) 



N{L - 1 
L{N - 1) 



Pi ■ ei 
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N{L - 1) 
L(N -I) 
< e 

If we use Qi to denote the fidelity of the output of the protocol on state | conditioned on that it 
doesn't fail, then the overall fidelity of the output if the protocol doesn't fail is: 



Q 



E,Q^-K-Prob [V{\(t>i){4>i\) = FAIL] 
E.Pi-Prob [P(|0i)(0,|) = FAIL] 



iV(L-l) Pi 
L(N-l) 



N(L-l) 

^« ■ L{N-1) 



. N{L-1) 
'I- ' L(N-l) 



L{N~1) 
1 - e 



N{L-1) 
L{N-l) 

2W 



1-e- 
> 1 



So the Simple Scrambling protocol is deterministically conditionally successful even for mixed states in 
the diagonal subspace. 

■ 

Now we are ready to prove Theorem ^. 
Proof: [Proof to Theorem |2| We simply combine Theorem ^ and Lemma |5[ ■ 



D Toward the Diagonal Subspace: The Hash and Compare Protocol 

In this section, we present the construction of the Hash and Compare protocol. With high probability, 
this protocol converts any state of reasonably high fidelity into a state that is "almost completely" in 
the diagonal subspace. Therefore, if we combine this protocol with the Simple Scrambling protocol, we 
obtain a GEPP that is probabilistically conditionally successful for arbitrary states. 

Before describing the actual protocol, we give some motivations and intuitions behind it. Suppose 
Alice and Bob share a state of fidelity at least 1 — e. For simplicity, we assume that the state is a pure 
state, and we will show how to extend our result to mixed states later. We write the input state as | (/>) . 
In this situation, the Simple Scrambling protocol doesn't work anymore. Essentially what this protocol 
does is to "shuffle" and "mix" the coefficients in the diagonal subspace in a very "even" way to increase 
the fidelity. The Scrambling Permutation guarantees that coefficients in the diagonal subspace will be 
mixed "evenly". However it gives no guarantee for coefficients outside this subspace. Nevertheless, it 
is worth noting that the maximally entangled state, ^'tv, is completely in the diagonal subspace. So if 
I (j)) is close to ^'at, then a large "fraction" of | (j)) must lie in the diagonal subspace. 

We write 

\4') = a-\h)+P-\^^) (21) 



where 



is a vector in the diagonal subspace HP and 



Both vectors are normalized, and thus we have |ap + 



) is a vector orthogonal to HP subspace. 
1. Obviously we have n) =0 and 



thus 



> 1 



e. 



The Simple Scrambling protocol works well for state | </>|j), but does not work for state | So 
if we can first "eliminate" | or at least decrease its coefficient from /3 to a much smaller one, we 
can use the Simple Scrambling protocol to obtain a state with high fidelity. The Hash and Compare 
protocol does exactly this. 
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Construction 3 (Hash and Compare) The input to the protocol is a state p in the subspace Tiff (8) 
Ti^. The protocol also has an auxiliary input ^'5, where S = 2^ is a power of 2. The output of the 
protocol is a state a in H"^ ® TL^ . The steps are: 

1. Alice randomly generates s numbers ro, ri, r^-i G [N] and introduces s ancillary qubits, \ bo), \ bi), | 
all initialized to | 0) . 

2. Alice performs s unitary operations: 

\x)\yj) — ^ \x)\yj(B{x»rj)) 
She uses the qubits from state p as x, and the ancillary qubit \ bj) as yj, for j = 0, 1, s — 1. 

3. Alice send ro,ri, ...,rs-i to Bob. 

4. Alice and Bob engage in s teleportation protocols. They use the shared state '^s o,s s EPR pairs, 
to teleport the s ancillary qubits \ bo)"^, \ 61)^, | bg-i)"^ from Alice to Bob. Then Alice discards 
all her ancillary qubits. Bob obtains the qubits \ 60)^, | bi)^, \ bg-i)^ . 

5. Bob performs s unitary operations (the same operations as Alice did): 

\x)\yj) — > \ x)\yj®{x»rj)) 

He uses the qubits from state \ (p) as x, and qubit \ bj)^ as yj, for j = 0, 1, s — 1. 

6. Bob measures all his ancillary bits \ 60)^, | 61)^, | bs-i)^ . 

7. If all the results of the measurements are 0, Bob discards all the ancillary qubits. Then Alice and 
Bob output the remaining state, which is in Hilbert space TC^ 'Si H^. 

8. If not all the results of the measurements are 0, Alice and Bob discard everything and output FAIL. 

We point out that the Hash and Compare protocol can be efficiently implemented. 

Now we prove that the Hash and Compare protocol will bring the input state | <j)) to another state 
that is "almost" in the diagonal subspace. 

First, we extend the definition of fidelity. We define the fidelity between a pure state | ip) and a 
linear subspace L to be the square of the length of the the projection of | if) on L. Alternatively, we 
have 

F(|(^),L)= max|(99|V)|' (22) 

l'/'>GL 

Now we state and prove our lemma about the Hash and Compare protocol. 

Lemma 6 Let state be a pure state of fidelity at least 1 — e, where e < 1/2. // 1 <p) is the input state 
to the Hash and Compare protocols, then the probability this protocol outputs FAIL is at most e. Given 
that the protocol doesn't fail, we use \ ip) to denote the output state, which is a pure state. We have 
i^(|^)(^|) > 1-e, and 

Proh[F{\i^),n'^)>l~^e]>l-^ 



Proof: We write the state | 6) as 



= E E ^-a,^b\^a)^\^b)^ (23) 



and we have 
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Comparing this to Equation 21, we conclude that 



2 _ l„, |2 

x,x I 



x&X 

We go through the protocoh 

1. The initial state for Alice and Bob, excluding the auxiliary input is: 

l</'l)= X] X] (^xa,xb\xa)^\xb)^ 
XA&X xb&X 

2. After Alice introduces her ancillary qubits and done with the t unitary operations, the state is: 

102)= ^ ^ a^^^xg\xA)'^\xA» ro)'^\xA» n)"^ ■ ■ -{xA* rs-i)'^\xB)^ (24) 

Xa&X Xg^X 

as we can see, the ancillary qubits are entangled with the qubits from | (p) . 

3. After the teleportation, Alice's ancillary qubits becomes disentangled from the qubits of | </>), and 
after discarding all the ancillary qubits of Alice, the state becomes 

\4'3)= ^ 'Y axA,XB\xA)'^\xB)^\xA»ro)^\xA»ri)^ ■■■\xA»rs-i)^ (25) 

Xa&X Xg£X 

4. After Bob has done with his unitary operations, the state becomes 

1^^)= Yl Yl (^^A,XB\xA)^\xB)^\{xA®XB)»ro)^\{xA®XB)»ri)^ ■■■\{xA®XB)»rs^i)^ (26) 

Xa&X Xg£X 

5. Next, Bob measures all his ancillary qubits. Now it should be clear that if the state Alice and 
Bob start with, 1 1;^), is indeed in the diagonal subspace, then all the measurements will yield 
with probability one, since we have xa = xb for all non-zero Ox^^xg^s. 

Now that I (j)) is not in the diagonal subspace, but it is close. Thus intuitively. Bob should have a 
high probability getting all O's in his measurement. 

We do a more formal analysis: we denote by Z the subset of [N] whose elements have inner 
product with all tq, ri, r^-i: 

Z = {x\x £ [N], x»rj = 0,j = 0, - 1} 



We group 


all the terms 


in Equation |2^ into 3 parte 












\(f)^) = iPq) + Ai 




+ A2 • 




where 












Ao • 1 V'o) 


— ^ '] ^x,x 


|x)^|x)^|0)^---|0)^ 










xex 










Ai-lVi) 


E 


axA,xg ■ 1 xa)^\ xb)^ 


of- 


••|0)^ 






XAJ^Xg,XAQ 










A2 • 1 tp2) 


E 


axA,xg ■ 1 xa)'^\ xb)^ 


(xA ( 


Bxs) • 


ro)^\{xAexB)»ri)^ 



xa¥'Xb,xa®xb^Z 



26 



Both \ il>o) and 1-01) have ah O's in the ancillary qubits of Bob, while | ^2) doesn't. All these 3 
states, I iJjq), \ ijji) and 1 1^2) are orthogonal to each other. 

We again write 

and we notice that Aq = a, and | ipo) = \4>\\) ^\ Zt)^ 

Therefore the probability that Bob obtains all-zero in the measurement is at least |Aop = |ap > 
1-e. 

After the measurement, and if is result is indeed all-zero, the state will become 

I V') = „ • (Aol 0o) + All Vi)) (27) 

vlAor + |Air 

where | 0o) is in the diagonal subspace HP and is orthogonal to the HP . The fidelity of | ■0) 

and is , 't'", — =. 

V|AoP+|Ai|2 

Now we can prove that the fidelity of | ■)/') is at least 1 — e: 

(V|*iv) = ^=^L==(0o|*iv) + ^=^L==(0i|*jv) 



(AoV'o I ^n) 



V|AoP + |Ai| 



2 



V|AoP + |Ai|2 
> (0|*7v)>l-e 

Essentially, the hash and compare protocol leaves the coefficients in diagonal subspace untouched, 
and eliminates part of the "off-diagonal" coefficients. Therefore, after the re-normalization, the 
coefficients in the diagonal subspace will not decrease, and thus the fidelity of the output state is 
at least 1 — e. 

Now we estimate the magnitude of Ai: we have 

Notice that Ai is actually a random variable since the ro, ri, rf_i are randomly chosen by Alice. 
Notice that each pair 7^ a^s, we have 

Prob r[{xA e xs) • r = 0] = 1/2 

and thus for random ro , r 1 , . . . , _ 1 , the probability that all (x ^ © ) • r j results in for j = , 1 , . . . , s — 1 , 

is l/2^ 

In other words, the expected value of |Aip is 

= ^ Prob ro,ri,...,r,_i[a;^ © G Z] • |ax^,xsP 
XA^'XB 

~ OS ^ l"a:A,a;Bl 



2* 



< 1 

- S 
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and thus by Markov Inequality, we have 

P.obBA.r<-^)<-L 

Therefore, with probabihty at least 1 — we have |Aip < In that case, the fidelity of | V') and 
the diagonal subspace is 



> 



lAr 



|2 



|AoP + |AiP 
1-e 

1 - 



when e < 1/2. ■ 

Now, we can put everything together: for a general state p, we first apply the Hash and Compare 
protocol to p to make it "almost completely in" the diagonal subspace Ti^ . Then we apply the Simple 
Scrambling protocol to enhance the fidelity. We describe the complete protocol in more details: 

Construction 4 (Complete Scrambling Protocol) The Complete ScramMing protocol is parame- 
terized by a quintuple: {N, K, W, L, S), such that there exists a Scrambling Permutation pair {gy{x), hy{x)) 
of parameter {N, K,W, L) , where S is a power of 2. The input to the protocol is a (mixed) state p in 
space Ti-^. The protocol also has an auxiliary input ^t, where T = S ■ K . We can also write the 
auxiliary input o,s ^'5 ^k- The steps are: 

1. Alice and Bob engage in the Hash and Compare protocol, using the input state p as the input, and 
part of the auxiliary input, ^'5 as the auxiliary input. 

2. If the Hash and Compare protocol fails, Alice and Bob output FAIL and terminate. 

3. If the Hash and Compare protocol succeeds, it will output a state a. Alice and Bob then engage 
in the Simple Scrambling protocol, using u as the input and the other part of the auxiliary input, 
'^K o,s the auxiliary input. 

4. If the Simple Scrambling protocol fails, Alice and Bob output FAIL and terminate. 

5. If the Simple Scrambling protocol succeeds, a state r will be output, and Alice and Bob output r. 

It is obvious that the complete scrambling protocol can be realized quantum-mechanically, and if 
the scrambling permutation used in the protocol is an efficient one, and L is a power of 2, the protocol 
can be realized efficiently. 

Lemma 7 The Complete Scrambling protocol is a probabilistic conditional successful GEPP with pa- 
rameter {N, SK, WK, e, + 2e + ^ '^)- V Simple Scrambling protocol used inside the 
complete protocol is efficient, then so is the complete protocol. 

Proof: To prove this lemma we need some claims about fidelity: 
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Claim 3 (Monotonicity) For any (mixed) states p and a and any quantum operator £ (not necessarily 
unitary), we have 

F{£{p),£{a))>F{p,a) (28) 



It is a well-known result |NCOO|. 



Claim 4 (Triangle Inequality) For any 3 pure states \A), \B) and \ C) in the same Hilhert space TC 
such that F{\ A),\ B)) = 1 — e and F{\A),\C)) = l — 5, where both e and 5 are real numbers between 
and 1/2. then we have 

F{\B),\C))>l-2{e + 5) 



Claim 5 (Relationship to Statistical Distance) Let p and a be 2 mixed states in the Hilbert space 
7i such that that F{p,a) = 1 — e. Let £ be an arbitrary quantum operation over 7i that ends with 
a measurement. We use Mp and to denote the random variables describing the outcomes of the 
measurement of £ on input p and a, respectively. Then the statistical distance between Mp and is 
at most v^. 

We prove Claim |^ and Claim ^ in Appendix ^ 

We first consider the case that the input state is a pure state | ^) . By Lemma with probability at 
least 1 — e, the Hash and Compare protocol will succeed. In the case it succeeds, the output state | ijj) 
will have a fidelity at least (1 — ■^) with the diagonal subspace TiP with probability 1 — We define 

a "good event" to be the event that | if)) has fidelity at least (1 — ■^) with TiP . Then the probability a 

good event happens is at least 1 We focus on the good events. We write the normalized projection 

of I ijj) to HP as I Tpv)- So we have 

F{\i,),\^v))>l-^ 



In other words, the fidelity of state | ip) and the state | iJjx)) is at least 1 — If Alice and Bob, 
instead of feeding | V'), had fed | V'X') into the Simple Scrambling protocol, they would have succeeded 
with probability at least 1 — e, and output a pure state | V'^p) of fidelity at least 1 — However, since 
Alice and Bob don't feed | ipv) into the Simple Scrambling protocol, they don't get | ijj^) back: rather 
they get a state | il)^) if they don't fail^ By the monotonicity of fidelity, we have that 

(V''l^i)>(V'l^7?)>l-^ (29) 

Combining Equation ^ with the fact that F(| V':d)' I '^wk)) > 1 — we have, by Claim ^ 

77 AW 4 

F{\i^^),\^WK))>l-{^ + ^)e 



We denote by p the failing probability of the Simple Scrambling protocol on input | ip) , and pj) the 
failing probability on input | V'l')- Then we have, by Claim |5|, 

\p-Pv\ < 




'it is easy to check that the Simple Scrambhng protocol always outputs a pure state if the input state is pure. 
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Putting things together, we have: with probabihty at least 1 — 2e — y the Complete Scrambling 
protocol succeeds. In the case it succeeds, it outputs a state | V'^) of fidelity at least 1 — + 
with probability at least 1 — 

Next we consider the case that the input state is a mixed state p. We have F{p) > 1 — e. We write 
p as an ensemble {pi, | </>«)}• For each pure state | </>i), we assume that it has fidelity 1 — e^, and then by 
the linearity of fidelity, we have YliPi^ ~ ^- The analysis above works for each pure state | ipi): for each 

pure state | (pi), with probability at least 1 — 2ej — \J the Complete Scrambling protocol succeeds. 
In the case it succeeds, it outputs a state | ipf) of fidelity at least 1 — + with probability at 

least 1 — The fidelity 1 — + is a linear functions in ej , and 1 — 2e — \J^^ is a convex 

function. So overall, the Complete Scrambling protocol succeeds with probability at least 1 — 2e — \J 
In the case it succeeds, it outputs a state | ip^) of fidelity at least 1 — + with probability at 
least 1 — ■ 

Now we are ready to prove Theorem ^. 
Proof: [Proof to Theorem |3| We simply combine Theorem ^ and Lemma |^ and choose = 2^*. ■ 

E Constructions of Scrambling Permutations 

We discuss various constructions of Scrambling Permutations. 

For a binary string S = siS2---Sn, we define the left sub-string and the right sub-string of the string 
S as follows: 

LEFT(/c,5) = siS2..-.Sk 

RIGHT(A:,5) = Sn-k+lSn-k+2---Sn 



Obviously we have 

LEFT(A:, S) o RIGHT(n -k,S)=S 

The first construction is a very simple one, and it is very closely related to a construction of universal 
hash functions. 

Construction 5 (Multiplication-table Scrambling Permutation) We work inGF2n, where each 
element is a polynomial of degree at most n — 1, and can be written as 

ao-\- ai - Z ^ h ttn-i ■ Z"-^^ 

We identify each element with an n-bit binary string in the most straight-forward way. We set X = Gi<2" 
and Y = G-F|n = X\{0}, where is the additive identity in GF2n. We can pick an arbitrary I, such 
that 1 < I < n. Then we let G = {0, 1}' and H = {0, The functions are: 

gy{x) = LEFT(/,x-y) 
hy{x) = RIGHT(n-/,x-y) 



and we have N = 2"^ , K = - I, L = 2\ and M = 2""'. 

Notice that a very common construction for universal hash functions over Gi*2" is hy^z{x) = x-y + z, 
and our construction can be viewed as a sub- family of this universal hash family, by setting z = 0. Our 
construction here is not a universal hash function family, but is more efficient. 
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Lemma 8 The function pair given in Construction is an efficient Scrambling Permutation pair. 



Proof: It is obvious that {gy{-), hy{-)) is a permutation, since 

gy{x) o hy{x) =x-y 

is a permutation for y ^ 0. 

Now let's prove that for any xi ^ X2, Prob y[hy{xi) = hy{x2)] is always the same. This is actually 
not hard: we have hy{xi) = hy{x2), iff 

(xi -x2)-y = mod (Z"-') 

There are exactly 2^ elements in GF]\f that are multiples of and so there are exactly 2' y's 

that satisfy the equation. However, one such y is and has to to be excluded. So the probability is 
p = (2^ — l)/(2"' — 1) = (L — 1)/(A^ — 1). This is true for every pair xi ^ X2- 

Finally, both the permutation and its inverse can be implemented efficiently (only field multiplication 
and inversion are involved). So this scrambling permutation is efficient. ■ 

A word about efficiency: it is desirable for us to construct families of scrambling permutations of 
relatively small K and L, as compared M: In the Simple Scrambling protocol, where the Scrambling 
Permutation is used, is the dimension of the input state that Alice and Bob try to purify, which 
is normally fixed; K is the dimension of maximally entangled state Alice and Bob invests; M is the 
"yield" of the protocol, or the dimension of the output; L is the dimension of the subspace Alice and Bob 
discard. So the Simple Scrambling protocol invests about logJC perfect EPR pairs and discard about 
logL amount of entanglement. For the Multiplication-table construction, K is almost as large as A^, 
which is a disadvantage since Alice and Bob has to invest as many perfect EPR pairs as the imperfect 
ones they try to purify. However, the L in this construction is fully adjustable, and it provides a nice 
trade-off between the yield Alice and Bob wish to obtain and the fidelity of the output (the greater L 
is, the less the yield is, and the higher fidelity the output has). 

Below is another construction: 

Construction 6 (Linear Function Scrambling Permutation) We work in Gi<2", and let X = 
GF2n X GF2n. Therefore each element in X is represented by {xq,xi). We let Y = Gi<2" U {-L}, where 
J- is a special symbol. 

Both functions gy{{xo, xi)) and hy{{xQ,xi)) output elements in GF2^ and the actual functions are 
defined as follows: 



gyi{xo,xi)) 
hy{{xo,xi)) 



XO if y G GF2n 

Xl if y =_L 

xq - y + Xl if y G GF2n 



xo if y =± 

and we have N = 2^", if = 2" + 1, M = 2", and L = 2". 

Lemma 9 The function pair given in Construction is an efficient Scrambling Permutation pair. 

Proof: It is easy to verify that for any y, gy{{xo,xi)) o hy{{xo,xi)) is a permutation. 

Next we prove the scrambling property: for any pair of inputs x = {xq, xi) and x' = {x'q, x\): 

• If Xo / Xq, then the unique y = (xi — x'l) ■ (xq — Xq)~^ makes hy{{xo, xi)) = hy{{xQ, x'l)). 
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• If Xo = x'q, then the unique y =_L makes hy{{xQ,xi)) = hy{{xQ, x'l)). 

Finally, it is easy both the permutation and its can be computed efficiently, and thus the linear function 
construction is an efficient Scrambling Permutation pair. ■ 

In this construction, K is about the square root of N, which is much better than the Multiplication- 
table construction. However, L is fixed, and we don't have the flexibility as in the Multiplication-table 
construction. However, we can extend this construction to a class of Scrambling Permutations, and 
resolve the flexibility problem. 

Construction 7 (Extended Linear Function Scrambling Permutation) We work in , and 
let X = GF^n, where d is an integer. Therefore each element in X is represented by a d-tuple 
{xo,xi, We let Y = Ufc=o^-^2"' where we define GFgl = {-L}- 

The function gy {{xq,xi, Xd-i)) outputs an element in GF2n and the function hy {{xo,xi, Xd-i)) 
output a {d — l)-tuple in GF2n : For any y £ Y, we write y = {yo, yi, yk~i), where < k < d. 

gy{{xo,xi, ...,Xd~i)) = Xk 

hy{{xo,xi, ...,Xd-i)) = {xo + Xk ■ yo,xi + Xk ■ yi, ■■■,Xk~i + Xk ■ yk-i,Xk+i,Xk+2, ■■■,Xd-i) 
and we have N = 2^^", K = ^^T' ^ = 2(^^-1)", and L = 2". 
Here is a concrete example for d = 4: 



y 


9yix) 


hy{x) 




Xo 


Xi , X2 , X3 


y = (yo) 


Xi 


xo + xi-yo , X2 , X3 


y = (yo,yi) 


X2 


xo + X2-yo ,xi+x2-yi , X3 


y = (yo,yi,y2) 


X3 


Xo + X3 ■ yo , xi + X3 ■ yi , X2 + X3 ■ y2 



Lemma 10 The function pair defined in Construction is an efficient Scrambling Permutation pair. 

Proof: The permutation property is obvious, and it is easy to see that both the permutation and its 
inverse can be computed efficiently. 

Now the scrambling property: given any pair x = (xq, xi, x^-i) and x' = {x'q, x[, x'^_^) . we 
show that there is always a unique y such that hy{x) = hy{x'). We define k to be the largest index such 
that Xk / x'^. Then for y G GFl^n, 

1. If / < k, then the A;-th entry in hy{x) is x^, and it is different from the fc-th entry in hy{x'), which 
is x'^; 

2. If / = k, we are effectively solving a linear system: 

xo + Xk-yo = x'o + x'l^ ■ yo 
xi+Xk-yi = x[ + Xfc • yi 

Xk-i + Xk-yk-i = x'^,_i -hx'fc • 



and it has a unique solution 

yo = {xo - x'o) ■ (Xfc - Xfc)"^ 

yi = (xi - x'l) • (xfc - x';,)"^ 



yfc-i = (a^fc-i - Xfc_i) • (xfc - x' 
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3. If / > k, the A:— th entry of x is + Uk ' x^+i, and it is different from the k-th entry of x' , which 
is x'^ + Uk ■ Xk+i, since Xk / x'f., while Xk+i = x'^+i- 

So there exists a unique y £ Y such that hy{x) = hy{x'). ■ 

The extended hnear function construction gives a class of Scrambling Permutations of different 
parameters: for a fixed A^, we can pick a construction such that K is about N^^^^^^^ and L is about 
j\j-i/d £qj, ^j^y ij^teger d. When d = 2, the extended linear function construction becomes the linear 
function construction. So we get back some flexibility: not only in K, but also in L. 

Of course, one question is: how good are our constructions in terms of the size of K and L as 
compared to A^? We hope K and L are as small as possible, and how small can they be? We have the 
following theorem which essentially says that the Extended Linear Function construction is optimal in 
terms of the size of K and L. 

Theorem 6 Let {gy{x),hy{x)) be a scrambling permutation pairs of parameter {N,K,M,L). We have 
N < KL. 

Proof: First, by Theorem ^, we know that the collision probability p = {L — 1)/{N — 1). 

Recall that p is the probability that a random y £ Y satisfies hy{xi) = hy{x2), and thus it is at least 
1/K. Therefore we have 

1 L-1 
K - N -1 

or 

- 1 N 

K > > — 

- L-1 - L 



It is easy to see that the Extended Linear Function construction achieves this bound asymptotically. 
We summarize the 3 constructions in the following table, which essentially proves Theorem ^ 



Construction 


N 


K 


M 


L 


Comments 


Multiplication-table 


2" 


2" - 1 


2n-l 


2' 


Fully adjustable L, not optimal 


Linear Function 


22n 


2" + 1 


2" 


2" 


Minimal K among all constructions, optimal, inflexibl 


Extended Linear Function 


2^71 


2"-l 




2" 


Optimal, flexible K and L 



F Proofs to Two Claims About Fidelity 

We give the proofs to 2 claims about fidelity that are used in this paper. 

Proof: [Proof to Claim Q Notice that |^), \ B) and | C) are vectors in Ti. We denote the angle 
between | ^) and \ B) hy 6ab, and define 6bc, and 9c a accordingly. Then it is easy to see (by the 
triangle inequality), that 9bc < ^AB + 6 AC- It is also easy to see that cos 9 ab = {^ \ B) = \/l — e and 
cos 9 AC = {^ \ C) = \/l — (5 Therefore, we have 

{B\C) = cos 9bc 

> cos{9ab + 9ac) 

= cos 9ab cos 9 AC — sin 9ab sin 9ac 
= y/{l-e){l-5)-V7d 

> Vl-2(e + 5) 

where the last step is a simple algebraic deduction. 
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Proof: [Proof to Claim H] We use D{p, a) to denote the trace distance between p and o", and we 
have lNCOOfl 

D{p,a) < Vl-F{p,a)=V~e 
However the statistical distance between Mp and Mu is bounded by D{p,a), which is bounded by ^/€. 



34 



